Software update Release Notes: SecureSync™

SecureSync Version 4.8.9 Release Notes

Release Notes for SecureSync System software updates up to and including Version 4.8.9

Spectracom releases software updates for SecureSync on a regular basis, in order to improve features, enhance existing functionality, apply security updates and software fixes. This document captures legacy release notes for all 4.x SecureSync software updates. Newer updates are captured in a separate document, please refer to: Links to download SecureSync software and user manual updates.

Table of Contents
New features
Software enhancements
Determining the version of software currently installed
Links to download SecureSync software and user manual updates
Spectracom Tech Support

www.spectracomcorp.com 1 | SecureSync Release Notes 4.x

New features:

(Version 4.8.9)

System features
Extended the SNMPv3 “EngineID” field to support more than 32 characters.
  o “EngineID” field now supports up to 50 characters.
The servget and servset CLI interface commands now include SNMP and NTP in the list of Services that can be stopped/started (or the current running status viewed) using these two CLI commands.

(Version 4.8.8)

Option Card features
(Models 1204-07 and 1204-1A SAASM GPS receiver, if installed):
Added zeroize command to CLI to support emergency zeroize and zeroize keys.
Added emergency zeroize to occur with all clean commands.

(Model 1204-09 E1 Output Option Card, if installed):
Added SSM (Sync Status Messaging) functionality.
Added 75ohm T1 (DS1) output capability.
  o This Option Card can now provide either 1.544 MHz / DS1 outputs OR 2.048 MHz / E1 outputs.

(Model 1204-12 PTP Option Card, if installed):
Added PTP Unicast mode.
Added PTP Minicast mode (Combination of both Unicast and Multicast modes).

(Model 1204-0A T1/E1 Output Option Card, if installed):
Added SSM (Sync Status Messaging) functionality.

System features
Added New CLI (Command Line Interface) commands:
  o Added two new CLI commands to support the ability to perform remote/scripted configuration file backups (includes the ‘saveconf’ command to save configs to a tar file inside SecureSync and the ‘loadconf’ command to load configs from a tar file inside SecureSync).
  o Added the ‘sysupgrade’ CLI command to support the ability to perform remote/scripted software updates, if desired.
Added three new graphs to the Status -> Disciplining page of the web browser:
  o Frequency Error, Phase Error and DAC values graphs were added to display the monitoring of the internal 10 MHz oscillator operation.

(Version 4.8.7)

Option Card features
(Model 1204-12 PTP Option Cards, if installed):
Loss of PTP FollowUp packets is now detected.
  o If this occurs, the PTP Slaves remain in an 'Uncalibrated' state (as is also the case with the loss of Sync status or Delay_Response packets).
Removed the need to “Save Settings to ROM” after configuration changes are made. The PTP module is automatically restarted, when required by configuration changes being made by a user.

System features
Added alarm masking capability in the Tools -> Notifications page of the web browser to allow users to be able to disable unwanted alarm indications.
Note: The Log files will still indicate the alarm condition has been asserted but the corresponding Alarm/Fault lamp indications won’t be asserted.
  o Examples of alarm indications that can now be masked include:
      Antenna Problems Alarms (if the GPS antenna is not connected, for example).
      Frequency Alarms (if the NTP server is synced only to other NTP servers, user hand-set time, etc. and therefore the oscillator is not being disciplined. This operation results in the Frequency alarm being asserted).
Increased the number of ssh, ftp, scp/sftp, logins and http/https connections from 5 to 15.
  o This change allows 15 logins per minute for each Ethernet connection type.
Added capability to enable rotation of the LCD content display through all available content screens.
  o Rotation duration is configurable from 1 - 30 seconds.
Added new “ppsctrl” CLI interface command.
  o This new command provides the ability to enable/disable the 1PPS outputs in the system using a telnet/ssh connection, in lieu of using the web browser.
Added a report of the selected PPS reference to the CLI ‘status’ command message, when the SecureSync is synced to another NTP server on the network.
Added commented set options to email configuration file to show how to send the username in a notification email as something other than "root@", followed by domain name.
  o Capability to edit this email alert value previously existed in all earlier versions of software. But, the example email config file did not provide information on changing this value.
Added ability to restore the factory default configuration during a software update.
Added support for new Fiber Optic 1PPS and IRIG Option Cards
  o Model 1204-1E (4) IRIG Output Fiber Optic
  o Model 1204-27 (2) IRIG Input / (1) IRIG Output Fiber Optic
  o Model 1204-2A (1) PPS Input / (2) PPS Output Fiber Optic
  o Model 1204-2B (4) PPS Output Fiber Optic

(Version 4.8.6)

Option Card features
(Model 1204-12 PTP Option Card, if installed):
Added “Forced Holdover” mode (Replaces “Alternate Master” mode)
  o Applicable only to PTP Slave mode (not PTP Master mode)
  o Enabling this mode suspends the phase and frequency corrections of the PTP clock.

System features
Added a feature to allow the system PPS to restart tracking of the 1PPS input reference.
  o (Setup -> Disciplining page of the web browser) This new feature can be used to allow rapid alignment of the system 1PPS with an input 1PPS reference, which is useful in cases where either the system 1PPS has drifted far from the reference (because the reference has been lost for an extended period of time and is then restored) or if the reference 1PPS has changed by a large offset. Otherwise, the System PPS is very slowly slewed into alignment with the 1PPS reference.
Added a feature to allow the user to set an offset of +0 seconds when configuring a leap second.
  o Selecting “+0” will clear the previously configured leap second.
Added a new CLI command called ‘syncstate’ which will return the synchronization status of the system.
  o Returns the value of “Sync”, “Holdover” or “Free Run”.
Added a feature to allow the user to disable the SecureSync’s position information from being displayed on the front panel LCD (Setup -> Front panel page).
Updated the Spectracom organization and address information in the Global MIB file.
Added a feature to display the system hostname and Spectracom logo icon on the web browser window tabs.
Re-ordered the log tabs on the Tools -> Logs page of the web browser.
Added a feature to allow the Local reference clock driver for NTP to be enabled/disabled and preferred from the Web UI (Network –> NTP Setup page, “NTP Servers” tab)
  o When disabled, this can help prevent NTP from switching back and forth from Stratum 16 to a higher Stratum (such as Stratum 1 or 2), when NTP is syncing to a marginal input reference (such as one with high jitter, for instance).
Combined the “Time Scale” and “Local Clock” selection fields on the web browser configuration page for the front panel display (Setup -> Front panel page).
Added a new Oscillator Disciplining Status page to the web browser (Status -> Disciplining page).
  o Reports phase errors, TFOM and MaxTFOM values, etc.
  o Adds new indications for when the following conditions last occurred since power-up:
      The TFOM value last changed (Defaults to “1 JAN 2000 00:00:01” if SecureSync hasn’t synced yet).
      Note: The following default to “None” if SecureSync hasn’t synced yet:
      Input References last changed.
      SecureSync declared either Sync or loss of Sync status.
      SecureSync went into or out of Holdover mode.

(Version 4.8.5)

System features
Network/ General Setup page of the browser, “General” tab, now displays the hostname assigned to SecureSync.
Increased the maximum number of remote Syslog servers from 5 to 8.

(Version 4.8.4)

System features
Users can now save and re-save (overwrite existing) the configuration archive file via the web browser.
  o Performing a “Restore configuration” will delete the configuration archive file.
Added fields in the Status / NTP page of the browser to display the NTP Leap Indicator (LI) Bits for each configured NTP server, NTP peer, and reference clock drivers.
  o The NTP LI bits indicate the sync state of the NTP reference and if a leap second is scheduled to occur.
Added a mechanism to automatically restart NTP when it has only one available reference and if that reference changes its time by more than 10 minutes.
  o Example: User/User is the only valid input reference and if a user manually changes the time by more than 10 minutes, NTP will be restarted. Otherwise, NTP would stop using the reference.

(Version 4.8.2)

Option Card features
Released four new Option Cards (Models 1204-21, 1204-26, 1204-28 and 1204-29).

System features
Added software support for four new Option Cards (Models 1204-21, 1204-26, 1204-28 and 1204-29).
Added feature to support separate on-time point pulse widths from standard pulse widths for generated square wave outputs.
Oscillator disciplining enhancement that provides a growing time constant to provide better phase noise. This results in fewer adjustments to the oscillator control DAC.
MAC address is now only displayed on the Web UI for users with admin rights.
Implemented new front panel “Power” LED indications:
  o GREEN w/ ORANGE BLINKING: Power fault; Power inputs don’t match configuration
  o ORANGE SOLID – DC ONLY – DC only power detected; AC & DC supported
  o ORANGE SOLID – AC ONLY – AC only power detected; AC & DC supported
  o GREEN SOLID: All configured power is present
Added additional password security options, configurable from the Web UI.
  o Added configurable password complexity requirements.
Added a new read-only object to the SNMP MIB to allow getting the system time and date.
  o New versions of the SNMP MIB files are available to support this new capability.

(Version 4.8.0)

Option Card features
Released new Stanag Option Cards (Models 1204-1B and 1204-1D).

System features
Added “out-bound” network tools to the command line interface for troubleshooting network issues associated with the SecureSync’s network.
  o Added the following network troubleshooting tool commands: ifconfig, arp, rarp, route, netstat, domainname, dig, host, nslookup and traceroute
Added SNMP trap and/or Email alerts upon each SecureSync reboot (when enabled).
  o The new reboot trap/email alert requires new MIB files to be compiled in the SNMP Manager (the new MIB files can either be FTP/SCP transferred out of the SecureSync’s home/spectracom/mibs directory or emailed from Spectracom Tech Support).
Added new “Battery Backed Clock” option for those customers who don’t care about accurate, traceable time to external references (those that desire to just have a relative time source, instead of deriving time from an external time reference).
Added the ability for SecureSync to declare Time Sync after each boot-up, with no additional user-interactions being required.
  o Earlier versions of software required user-interaction for those who wanted SecureSync to sync with no external time reference, as the time had to be manually set to declare it valid after every reboot/power cycle. This new checkbox alleviates this user-interaction requirement.

(Version 4.7.0)

Option Card features
Released new “Event Capture with Broadcast” Option Card (Model 1204-23)

System features
Faster GPS synchronization after reboots/power cycles.
  o When using GPS as a SecureSync input reference, the time it takes for GPS to re-synchronize after any subsequent reboots or power cycles that may occur is now significantly reduced.
    In previous versions of software SecureSync could take anywhere up to about 13 minutes to resynchronize with GPS. This delay was needed in order to read the UT1 time correction provided in the GPS ephemeris data message (which is broadcasted by the GPS satellites every 12.5 minutes), prior to being able to achieve GPS sync.
    Starting with version 4.7.0 software, after the GPS receiver has initially obtained the UT1 correction value from the GPS satellites and upon each power-up thereafter, SecureSync will now assume this correction value is unchanged since it was last powered down.
    So GPS sync will now occur shortly after the GPS receiver is tracking at least four satellites, instead of having to wait for the GPS receiver to read this specific data from GPS. This change results in GPS sync typically occurring within about 2 to 3 minutes after each boot-up.
    In the highly unlikely chance that a UTC leap second has been asserted since SecureSync was last shutdown, a one second time correction will occur after initial time sync to GPS has been achieved. (This new UT1 correction value would then be used for all subsequent reboots).
Added new “Save Log Files” field to the “Tools”/ “Upgrade/Backup” page of the web browser and a “savelog” command to the list of available commands for the front panel SERIAL port.
  o The “Save Log Files” field or the “savelog” command issued via the front panel can create a bundled file of all of the SecureSync’s log entries. Once this bundled file (named “securesync.log”) has been created and placed in the “home/spectracom/xfer/log/” directory, this file can then be manually transferred out of SecureSync using FTP or SCP, in order to extract all log files with a single file for archiving purposes, or if it is necessary to send the logs to Spectracom Tech Support for review.
Added “stateset” to the list of available commands for the front panel SERIAL port.
  o The “stateset” command can be used to perform either of the following from the front panel:
      1) Read the configured entries in the Input Reference Priority table.
      2) Enable/disable (or change the priority of) each of the individual entries in the Input Reference Priority table.
Added “clean” to the list of available commands for the front panel SERIAL port.
  o The “clean” command resets the SecureSync back to factory default configurations and deletes log files (“Clean” does not reset the GPS receiver or the stored GPS position information).
Applicable only to SecureSyncs with a SAASM GPS receiver installed, added “HotStart” to the list of available commands for the front panel SERIAL port.

(Version 4.6.0)

Enhanced networking functionality relating to the available multiple port Ethernet Option Card (Model 1204-06)
  o Added Static Route control for all interfaces and a main/common route section.
  o New routing tables were added to allow SecureSync to be able to exchange packets with subnets that are not directly connected to the base SecureSync Ethernet port or to the three available Ethernet ports of the Gigabit Ethernet Option Card (subnets that are connected via routers to the networks connected directly to the SecureSync).
      Each of the three network ports on the Gigabit Option Card now has an available default gateway address for configuring the router’s address for each network port.
      The new “main” routing table is used to route network traffic that does not originate from networks connected directly to SecureSync (such as unrequested SNMP traps that can be sent from SecureSync upon events occurring).
  o Enhanced front panel LCD display/keypad operation and CLI interface to support the changes made to the network functionality.
Faster NTP synchronization (time to transition out of Stratum 16) after each power cycle/reboot
  o Once SecureSync has declared Sync with one or more input references (such as GPS, IRIG, User set time, etc., as indicated by the front panel Sync LED turning green), NTP will now achieve synchronization (as indicated by Stratum 1, Stratum 2, etc), much faster than in earlier versions of the SecureSync software.
      The NTP’s “minpoll interval” was changed in this version from 64 seconds to 16 seconds, so NTP can poll the System Time much faster, resulting in NTP Stratum 1 synchronization (after each power-up/reboot) in about 5 minutes, instead of about 17 minutes, as was required in earlier versions.

(Version 4.5.0)

Added a new “Oscillator” Log to the list of available SecureSync logs (Tools / Logs page of the web browser).
Enhanced security / login capabilities: (Tools /Users page of the web browser, Security tab)
  o Configurable idle time-outs (can either disable or configure how long after no activity before the need to login again)
  o Password aging (can enable the ability to either prevent the passwords from being changed, and/or configure them to expire, before or after a configurable amount of time).
  o Password complexity (can enable minimum criteria for new passwords, when they are created)
  o Can remove default factory accounts
Hard-coded in software (not configurable)
  o Limits the number of failed login attempts before needing to wait to try again.
  o Password re-use (can’t re-use the last 10 previously-used passwords).
Enhanced the “version” CLI command to be able to query for the specific versions of the different SecureSync modules (Apache, SSH, SSL, etc).
Added support for Simulcast features (CTCSS/Data Clock/Data Sync) Option Card (Model 1204-14).
Added support for RS-485 Communication Protocol Option Card (Model 1204-0B).
Added support for a four 1PPS outputs Option Card (Model 1204-18).
Added support for the Alarm Relay (Minor/Major alarm) Option Card (Model 1204-0F).
Added support for the four square wave output Option Card (Model 1204-17).
Added support for the new SAASM GPS receiver Option Card (Model 1204-1A).
Added support for the new four output IRIG Option Card (Model 1204-15).
Added support for the new PTP Master/slave Option Card (Model 1204-12).
Implemented changes for SNMP monitoring:
  o Added new Net-SNMP MIB file (for generic start, restart or shut-down traps).
  o Implemented ability to configure/control the Input Reference Priority table via SNMP.
  o Added new CLI command (“testevent”) to send test notifications (SNMP traps and email alerts).
Added indication for type of 10 MHz Oscillator installed (as viewed in the Status / Time and Frequency page of the web browser).
Configurable support for access to the web UI from load sharing systems that make requests from multiple IPs.
Reversed the order of log entries (the latest log entries are now at the beginning of the log files).
Added the SecureSync Model and Serial Number to the web browser.
Implemented NTP “manycast” mode (supported via NTP expert mode).
Added “Client key” generation for NTP Autokey.
Implemented new NTP Status graphs (as viewed on the Status / NTP page of the web browser, “Time Offset”, “frequency Offset” and “RMS Jitter” tabs).
Improved the logging of Option Card configuration changes (Tools/ Logs page of the browser, “Journal” log).
Added a notice to the GPS Receiver mode configuration (Standard/Mobile) for invalid combinations with associated Dynamics codes.
Enabled a new feature that allows the Tx enable line to the UART in the “Simulcast 485 communications option card” to be controlled by software.

(Version 4.4.0)

Added Demo support for Simulcast features/option cards.
Added Demo support for new SAASM GPS receiver option card.
Added Demo support for new PTP input/output option card.
Added several new 30 minute and 15 minute Time Zone Offsets to Setup/Local Clock page
  o Previously, Local Clocks could only be configured for whole hour UTC offsets. Added several new partial hour Time Zone Offset values to select from in the “Manual UTC Offset” drop-down box (for countries outside of the US).
“clean” and “cleanhalt” commands can now be issued via the front panel “SERIAL” port.
  o These two commands allow SecureSync to be either reset to factory default values and then power cycled (“clean”) or to be reset to factory default values and then halted for equipment shutdown (“cleanhalt”) using the front panel RS-232 port.

(Version 4.3.1)

An optional user-defined login banner was added
  o An optional banner can be configured for display on the login page each time a user attempts to login to SecureSync. The user-defined banner is configured in the Network / General Setup page of the browser (in the “Banner” tab). An example of a login banner that can be displayed, if desired, is a phrase that states “A user must be authorized to access this appliance. Just knowing the login password is not sufficient for access”.
Added two new proprietary ASCII timecode messages for use with the RS-485 and RS-232 ASCII Option Cards.

(Version 4.2.0)

Implemented changes to support the Gigabit Ethernet Option Module (P/N 1220-06) which adds capability of having three additional Ethernet ports (in addition to the base Ethernet port supplied with all SecureSync appliances).
  o The Gigabit Ethernet Option Module (For three additional Ethernet ports) was made available for SecureSync. Version 4.2.0 software changes were incorporated to accommodate the configuration of the three additional Ethernet ports that are provided by this Option Module.
  o In support of multiple Ethernet ports, added a Management Access table to define which network computers can access SecureSync using the available Management protocols (such as HTTPS, telnet, SSH, etc).
Added “idle-time login” restrictions and a logout button to the web browser.
  o For security purposes, added a logout button to the SecureSync’s web browser interface.
  o For security purposes, users are automatically logged out of the web browser interface 15 minutes after the last keyboard or mouse-click has occurred.
Note: The SecureSync’s login screen will look a little different with version 4.2.0 software installed (it is now a conventional web page instead of a pop-up window).
This change is to incorporate the above network security features, as well as to allow support for planned additional network security features (such as limited number of login retries, a login banner, etc) to be added in future software releases.

(Version 4.1.0)

Implemented “Expert Mode” for NTP configuration
  o Normally, NTP is configured using the SecureSync’s web browser pages. Some users may prefer to edit the NTP.conf configuration file directly, instead of using the supplied web browser pages. Expert Mode allows the NTP.conf file to be edited directly by a user. Please refer to the SecureSync instruction manual for more information on the Expert Mode prior to using this new configuration method.
Improved SNMP/Event Notification capability and added Email alert capability
  o Added a web browser Notification page to configure whether each SecureSync event that may occur (such as loss of Time Sync, going into or out of the Holdover mode, etc) will trigger an SNMP trap or an email (or both) to be sent out to a desired email recipient. In version 4.0.0, two SNMP traps were available, the Time Sync trap and the Holdover trap. Version 4.1.0 also adds several new available traps, such as a minimum satellites trap, frequency alarm traps, etc. Each SNMP trap can be either selected or de-selected, as desired.
Added the ability to either enable/disable for NTP to “prefer” the System Timing references and configuration to either use or not use the System Time’s 1PPS when using SecureSync as a Stratum 2 time server
  o The NTP Servers table (located on the Network/NTP Setup page, NTP Servers tab) contains two new checkboxes. One checkbox allows the System Time references to be selected/de-selected as an input to NTP. The other checkbox allows the System Time 1PPS to be selected/deselected as an input to NTP.
    Prior to having these checkboxes available, NTP performance could be affected by either poor System Time reference inputs or when using SecureSync as a dedicated Stratum 2 time server.
Implemented Mobile mode for GPS reception
  o The GPS receiver, when installed, can now be configured to operate in a mobile environment (such as on an airplane, ship/boat, truck, etc).

Software enhancements:

(Version 4.8.9)

Option Card enhancements
(All Models of 1PPS Output Option Cards, if installed):
SecureSync now allows more than (12) 1PPS outputs. All (6) Option Bays containing 1PPS Output Option Cards are now supported.

(Model 1204-06 Gigabit Option Card, if installed):
Upgraded the network processor driver to a newer version to help prevent network packets from potentially being dropped. Also disabled network flow control.

(Models 1204-02 and 1204-04 ASCII Output Option Cards, if installed):
Fixed minor issues with 5040 and 5101 ASCII Output messages
  o Fixed a defect in which TFOM would display incorrect values, 5101 messages would be output when TFOM > 7 and NavConv was NEVER being cleared. Now if SecureSync exits sync, NavConc is 1 and if not in Sync or Holdover, NavConf is 0. 5101 messages are now only outputted when TFOM <=7 and message is enabled or connected. Also, TFOM is set to 9 if SecureSync is not in sync and is the actual value when SecureSync is in sync.

(Models 1204-1A SAASM GPS Receiver Option Cards, if installed):
Resolved an issue which was preventing the zeroize CLI command from working.

System enhancements
Option 04: Rubidium Oscillator, when installed: Shortened Rubidium oscillator sync time after each subsequent boot-up.
  o After a sync threshold of 3.5 hours, the currently calculated frequency error correction is saved when entering holdover, in addition to the 24 hour save.
Option 04: Rubidium Oscillator, when installed: Fixed an issue that could cause a TFOM value of “1” to be reported at system boot-up.
Fixed a minor issue with Low Phase Noise (LPN) Rubidium oscillator tracking while in Holdover mode (no input references present and valid).
Network Access table is now properly backed-up and restored when using either the “Save Configuration” or “Restore Configuration” processes (Tools -> Upgrade/Backup page of the browser, “Configuration” tab).
IPv6 main default gateway can now be configured.
SSH Rate limiting fix
  o Resolved an issue of login counts not being cleared.
Resolved an issue with the User Defined Minor and Major GPS Threshold alarms counters.
  o The elapsed count-down timers weren’t resetting if the GPS receiver started tracking greater than the number of specified satellites again, before the counter expired.
Text of “ss.tar” was erroneously being displayed while performing a software upgrade using the web browser.
The Services controller daemon is now restarted whenever a network service is enabled or disabled.
Resolved an issue with the “Version” field in the Network -> SNMP Setup page of the web browser (“Notifications” tab) displaying a “null” when “V3” is selected.
Fixed an issue when using ASCII input and external 1PPS input as the selected Input References.
  o Resolved an issue where external 1PPS input validity could be affected if a user were to detach the 1PPS input cable or switch the Data Format in the ASCII time code generator.

(Version 4.8.8)

Option Card enhancements
(Model 1204-02 ASCII RS-232 Option Card, if installed):
(Applicable to ASCII 5101 Input messages only) improved processing of Day of Year (DOY) information

(Model 1204-12 PTP Option Card, if installed):
PTP configuration changes are now being recorded in the Journal log.
“Sync-E” was removed from the web browser.
Fixed an issue where only 4 installed PTP Option Cards were supported.
  o Slots 5 and 6 weren’t able to support PTP Option Cards being installed, when PTP Option Cards were also installed in Slots 1 through 4.

(Model 1204-17 Square wave output Option Card, if installed):
Couldn’t set period and scale without error
  o Period and Scale values are now calculated at the same time to avoid incompatibilities.

(Model 1204-28 Option Card, if installed):
Added control for the third 1PPS output
  o Earlier software versions did not display configuration selections for all three separate 1PPS outputs that are available from this Option Card. Instead it displayed only two (The 3rd 1PPS output was still present, but it was not configurable).

(Model 1204-0B RS-485 Comm Protocol Option Card, if installed):
Modified rgcs command to output support for up to 12 satellites. (8 or more satellites display as a value of “8”).
raeh output message contained an extra linefeed 0x0A value. Removed to make message 39 characters long.

Security related software changes incorporated
Updated Apache web server to version 2.2.23 to mitigate potential vulnerabilities:
  o (CVE-2012-0053) “Apache httpOnly Cookie Disclosure”.
  o (CVE-2012-0031) “Apache denial of service”.
  o (CVE-2011-3607) “Apache Integer overflow in the ap_pregsub function in server/util.c”.
  o (CVE-2011-3192) “httpd Range header remote DoS”.
  o (CVE-2000-0868) “Apache CGI Source Code Viewing Vulnerability”.
Changed factory default RSA Private key Bit length to 2048 and added support for SSH Elliptic Curve DSA (ECDSA) keys of 512, 384, 521 bits.
Added ‘autocomplete=off’ to password input line on login page to mitigate potential security vulnerability "Web Server Allows Password Auto-Completion (PCI-DSS variant)"

System enhancements
Syslog log messages now report the current hostname, rather than a hard-coded hostname of “Spectracom”.

(Version 4.8.7)

Option Card enhancements
(Model 1204-12 PTP Option Card, if installed):
PTP Clock Identity values of all 1’s are recognized and acknowledged to PTP Master as valid.
Removed the following web browser tabs associated with PTP for simplification of setup:
  o PTP Setup Module Tab
  o PTP Setup Statistics Tab
  o PTP Setup VLAN Tab

(Model 1204-05 and 1204-15 IRIG Option Cards, if installed):
The IEEE 1344 Extensions, when configured to be included in the IRIG output data stream’s “Control Functions” (CF) fields, now only provide Local time (DST and Time Zone Offset) information if a Local Clock name has been selected as the output timescale.

(Models 1204-02 and 1204-04 ASCII output Option Cards, if installed):
Removed support for Spectracom Format 4 as an input reference selection for synchronization.
Fixed a case where the Timing System would lock up, requiring a reboot, if switching from a selected format to the “NONE” drop-down, when using the ASCII output.
(Applicable only to Model 1204-02) ASCII RS-232 Option Card now aligns the PPS input signal to the rising edge, rather than the falling edge.

(Model 1204-0B RS-485 Comm Protocol Option Card, if installed):
Modified the RGCS command to report information on all 12 GPS receiver channels (instead of just 8 channels).
  o The maximum number of reported satellites being tracked is “8” (even if the GPS receiver is tracking 12 satellites, for instance).
Added 1FO, ACD and AT3 commands to emulate RS485 communications with Model 8195 series Master Oscillators.

System enhancements
Resolved an issue with the commercial GPS receiver restarting its GPS survey after each power-up, if the GPS Mode configuration has been repeatedly toggled between available modes (From Standard mode to Continuous/Mobile mode, and then back to Standard mode again, for instance).
  o Normally, the 34 minute GPS Survey is only performed once, after the first power-up at a new location.
  o The GPS receiver restarting its GPS survey after each power-up was delaying the time required to attain initial time synchronization to GPS after each power-up.
When creating a new Local Clock (Setup -> Local Clock page of the web browser), corrected a defect forbidding the use of Local Clock names which are super-sets of other local clock names that already exist.
  o An example of this includes not being able to create a new Local Clock with the name of “UTC-5”, because a factory default system Local Clock name of “UTC” already exists.
The Software Update process was made to be more robust and continues, even if individual Option Card updates happen to fail.
  o Update process logging is improved to include recording when the software update process begins.
  o Adds more details concerning any update problems which may have occurred during the update process.
New Log entries can now be written after log files have been cleared.
  o A System Reboot is no longer required to be performed after deleting log files.
(Applicable only to SecureSyncs with a Rubidium oscillator installed) Corrected display of “DAC Get Errors” being displayed in the Status -> Disciplining page of the web browser.
(Applicable only to SAASM GPS receiver installed) Improved Leap Second and UTC-GPS offset detection.
Fixed a very minor reporting issue when performing a ‘status’ CLI command with NTP disabled, which caused the top of the response to indicate "error: heading".

(Version 4.8.6)

Option Cards enhancements

(Model 1204-06 Gigabit Option Card, if installed):
Fixed a defect that can potentially (and randomly) cause dropped network packets, without any notification this is occurring.
  o Could result in loss of ping, HTTP/HTTPS, NTP, SNMP, etc.
  o This applies only to the three network ports on this Option Card (Eths 1, 2 and 3. Does not apply to the base Ethernet port – Eth0 - installed on all SecureSyncs).

(Model 1204-12 PTP Option Card, if installed):
Fixed a condition that can cause a one second PTP output time error when SecureSync is first synced to a Stratum 1 time server via NTP and if the PTP Option Card is configured as a PTP Master.
Fixed a defect that caused the software update of multiple PTP option cards to fail.
Important Note: SecureSyncs with multiple PTP Option Cards installed must first be updated to special release version 4.8.P prior to updating to version 4.8.6 in order to update more than one installed PTP Option Card. Contact Tech Support for more information or to obtain the version 4.8.P software update file.
Fixed a defect that caused the PTP Option Card to not respond to ping requests.
Fixed a defect that caused the Web browser update page to stall when updating this Option Card.
Removed FTP configurations for software update from the web browser.
  o Software updates to the PTP Option Card are handled by the SecureSync Update process. Manual FTP update file transfers directly to the PTP module are not needed.

(Models 1204-01 and 1204-18 1PPS input Option Cards, if installed):
Made improvements to the FPGA implementation to address 5ns shifts of the 1PPS output when these Option Cards are installed in rear panel slots 5 or 6.

(Model 1204-0F Relay Option Card, if installed):
Fixed a minor issue that caused relay configuration information to persist if this Option Card had been removed.

(Models 1204-02 and 1204-03 ASCII Option Cards, if installed):
Fixed an issue that prevented generation of emulated SAASM GPS messages on multiple ASCII output RS-232 interfaces simultaneously.
Fixed a defect that required an NMEA 0183 GGA message to have HDOP >= 1.0 in order to be used for synchronization. After this fix, HDOP >= 0.0 is required for synchronization.

System enhancements

Fixed a defect that caused changes to the syslog configuration to not be recorded in the Journal log.
Improved the descriptive text of several of the Web browser pages.
Fixed a defect that could cause the quick phase alignment of the system 1PPS to the reference to continue for an indefinite period of time (now limited to 60 seconds).
Fixed a defect that caused the System Time to be offset by approximately 500ms after a power cycle.
Fixed a defect that caused the domain name entry on the network interface configuration page to persist after being deleted.
Fixed a defect that caused the configuration archive file to be deleted following a configuration restoration.
Fixed a defect that prevented the names of local clocks from using non-alpha-numeric characters.
  o The local clock names must now consist of a single word made up of the following characters: A-Z, a-z, 0-9, +, -, and _. A space character will be replaced with an underscore.
Fixed a defect that caused reload of Web UI pages to default to the first tab on the page instead of the previously selected tab on the page.
Fixed a defect that caused the previous HTTPS certificate request to be displayed when creating a new HTTPS certificate request.

(Version 4.8.5)

(Applicable only to SecureSyncs with Archive version 4.8.4 software installed and one or more Model 1204-12 PTP Option Cards currently installed):
Fixed a defect in the Setup/Inputs (or Setup/Outputs) PTP Option Card page of the browser which prevented some of the tabs from being displayed and therefore prohibited configuration of the installed PTP Option Card(s).

(Version 4.8.4)

Software changes incorporated for potential security vulnerabilities

Fixed a defect that was preventing a fix added in version 4.8.2 software against a potential security vulnerability (“CVE-2011-3389 Protocol Weak CBC Mode”) from being applied during a software update.

Other software enhancements

Users can now save and re-save (overwrite the existing) configuration archive file via the web browser.
  o Performing a “Restore configuration” will delete the configuration archive file.
Fixed defects affecting the processing of leap second insertion when using a System “Time Scale” selection of either GPS or TAI time scale (as configured in the Setup/Time Management page of the browser).
Moved the oscillator DAC messages from the “Timing” log to the “Oscillator” log. Also removed redundant frequency error log messages from the “Timing” log (which were also present in the “Oscillator” log, as well).
Added a display of the selected “Local Clock” name to the Status/Outputs/IRIG as well as the Status/Inputs/IRIG web browser pages.
  o If no local clock is selected for IRIG Input/Output, the “Local Clock” field will display “NONE”, instead.
Lengthened the “Time Scale” data fields in the ASCII (RS-232 and RS-485) and NENA Option Card’s Status/inputs configurations, in order to show the entire name of the selection.
Fixed a typographical error on a note that is displayed in the “Security” tab of the Tools/Users page of the browser.

(Version 4.8.2)

Software changes incorporated for potential security vulnerabilities

Applied changes to the ssl.conf configuration file to mitigate CVE-2011-3389 (SSLv3.0/TLSv1.0 Protocol Weak CBC Mode).

Other software enhancements

Added protection against an NTP input reference scheduling a “Leap Second pending” too early.
  o A Leap Second pending that is detected by the NTP input earlier than one month before a leap second is to be asserted is not scheduled until the first day of either the following June or following December at the earliest, to prevent System Time from asserting the Leap Second too early.
Fixed a minor defect causing “Not Supported” to be displayed when resetting the admin password from the front panel keypad.
Fixed a defect causing the unit to add an entry to the Journal log that the battery-backed time sync is changed/enabled, every time the Setup / Time Management page of the browser is submitted by a user.
Fixed a defect causing a DHCP lease to be used instead of a user-configured static IP address.
Fixed a defect causing the DNS servers and host name values to not be retained after submitting a change to them from the web browser.
Fixed a defect that was causing units with a commercial GPS receiver installed to potentially enter holdover for 130 seconds after a GPS Week rollover.
Fixed an issue that prevented creation of a local system clock with a name that is a substring of another name for a local system clock.
Fixed a defect that caused single-satellite mode to fail in some SecureSyncs with a commercial GPS receiver installed.
Fixed a defect that was preventing the clearing of GPS settings, Reference Priority Table, and Local System Clocks back to the factory default state, after a clean operation was performed.
Status/Power page of the browser now only displays the AC and/or DC input power configuration(s) which are actually installed.
  o For example, if the NTP server is configured for AC input only, DC input power status is no longer displayed on this page of the browser.

(Version 4.8.0)

Software package version updates for potential vulnerabilities

Apache web server software updated to version 2.2.21 to address security vulnerabilities in earlier versions.
OpenSSL software updated to version 1.0.0e to address security vulnerabilities in earlier versions.
OpenSSH software updated to version 5.9p1 to address security vulnerabilities in earlier versions.

Other software enhancements

Fixed a defect in setting local clocks in ASCII, EBU, IRIG, Display, and HaveQuick components which resulted in a local clock being set on a different instance than the one selected.
Fixed a minor issue that caused the Web browser to stop responding after configuring SNMP.
  o If the “User/Community” field in the “Notifications” tab was left blank when the Submit button was pressed, the web browser was no longer accessible, until a “clean” command was performed.
Fixed a limitation that wouldn’t allow creation of new usernames that were a sub-string of another username that already existed.
  o Examples include “admin” (a sub-string of the “spadmin” account) and “user” (a sub-string of “spuser” account).
Fixed a defect that didn’t allow the setting of IPv6 addresses in the web browser.
Fixed a defect that caused the HTTPS certificate request to contain truncated fields (Network / HTTPS/SSH Setup page of the web browser, HTTPS tab).
Applicable to the PTP Option Card only: Added “P2P” (Peer to Peer mode) to the “Delay Mechanism” drop-down field in the PTP Protocol tab.
  o Previous versions of software only allowed “E2E” (End to End) Delay mechanism to be selected.
The “Clean” command now restores the GPS receiver to factory default mode.
  o Mobile or Single Satellite modes are now returned to factory default Stationary mode upon a “clean” command being issued.
Fixed an issue where NTP wasn’t reporting stratum 16, while NTP was out of sync.
Fixed an issue that caused the reported phase error to not degrade when all input references were removed on SecureSyncs that are equipped with Rubidium oscillators (Status / Time and Frequency page of the browser).
A User is now logged out automatically, after clearing the unit’s configurations (as performed in the Tools / Upgrade /Backup page of the browser, Configuration tab).
LDAP certificates are now preserved across software updates and also deleted when clearing the unit’s configuration (as performed in the Tools / Upgrade /Backup page of the browser, Configuration tab).
Fixed a defect that didn’t allow leap second information from the timing system to be propagated by NTP.
Removed Web browser configuration for notifications (SNMP traps and email alerts) that are not currently supported (Tools / Notifications page of the browser).
Fixed a defect that didn’t allow the update of the PTP Option Card firmware, when it was in master mode (when the available PTP Option Card is installed).
Fixed a defect that did not allow backup/restore of the input reference priority table.
Fixed a defect in the Web UI that caused the IRIG instance numbers in reference priority table to not be displayed.
Fixed a defect that caused IRIG configuration setting to revert to other values after reboot.
Fixed a defect that caused the timing system to be updated with the wrong time during update of the PTP option card.
Fixed a defect that caused some Option Card update FPGA images to be written incompletely to the serial flash, resulting in an FPGA that would not program properly.

(Version 4.7.0)

Fixed two issues associated with SecureSyncs that have a Rubidium oscillator installed, when entering the Holdover mode (not applicable to SecureSyncs with either an OCXO or low phase noise OCXO oscillator installed).
  o While in the Holdover mode (no valid input references currently being available), two potential conditions can occur:
    1) The SecureSync’s 1PPS output can become erratic/unstable.
    2) The SecureSync’s System Time can significantly drift off from the correct time, causing significant time errors to occur.
Resolved an issue where only one user can be logged into the SecureSync web browser without causing another user to be automatically exited out of the web browser.
NTP will now automatically restart if a System Time change greater than 1000 seconds occurs.
  o If “System Time” (which is synced by the SecureSync’s input references and is also the time reference that NTP syncs with) happens to be significantly changed (which may occur when either manually setting the System Time, or if the system switches from one selected input reference to another reference that is not aligned with the same time as the previously selected reference) and this time change is greater than 1000 seconds while NTP is running, the NTP sanity check will fail. This will cause NTP to automatically stop/restart itself in order to compensate for the necessary, large time correction. Otherwise, if the System Time happens to change by less than 1000 seconds, NTP will slowly slew itself to the new time (instead of restarting itself).
Fixed a minor web browser display issue associated with the “Prefer Timing System Reference” and the “Enable Timing System 1PPS Reference” check-boxes (“Network” / “NTP Setup” page of the browser, “NTP servers” tab).
  o Though both of these fields are enabled by default, the check-boxes for these two fields were indicating they weren’t selected (in the background, these functionalities were being enabled, but the two checkboxes were just indicating otherwise). However, if the Submit button was pressed again while in this state, the functionalities would then become disabled.
Changed the default DNS server configuration to having no DNS servers specified.
  o Having one or both DNS server configured in the SecureSync (but no DNS server actually exists on the network with those addresses) can result in delays while trying to establish telnet, ssh, and other network-based connections with the SecureSync. These connections will attempt to communicate with the “configured” DNS servers, but if they don’t actually exist, the attempted connections will eventually just time-out.
    However, if no DNS servers are incorrectly configured, no attempt to contact the DNS servers will occur, alleviating any unnecessary delays when establishing these connections.
Added necessary additional spaces to the EndRun “ER” and “ERX” ASCII output formats.
IP address/prefix fields are now grayed-out on the web browser when DHCP is enabled.
  o Prevents the ability to manually change network settings that have been configured by a DHCP server.
Having a local clock selected for the front panel LCD display will no longer affect the UTC time in the system.
  o System Time can now be manually entered using the time scale that it is configured to display (if the LCD displays local time, the time can be manually entered as local time, instead of needing to first convert local time to UTC in order to enter the time as UTC time).
Corrected an issue with displaying/changing the SNMP notification “Port #” in the “Network”/ “SNMP Setup” page of the web browser (“Notifications” tab).
The web browser login banner (if one has been created), Security certificates and public/private HTTPS keys are now preserved through a “clean” command.
Fixed an issue that could periodically prevent the NTP statistics graphs from being displayed in the web browser.

(Version 4.6.0)

Improved DNS server functionality
  o DNS servers are now managed per each network interface (Eth0, Eth1, Eth2 and Eth3).
  o The web browser now supports two DNS servers per network interface.
Fixed a minor issue that prevented certain unique network IP address values from being able to be configured via the front panel LCD (but could still be successfully configured via the web browser).
Applicable to the PTP Option Card module (Model 1204-12): Added a “Peer Delay” feature for use with Transparent PTP clocks.
CLI “Clean” command no longer responds with additional “gibberish”, when command is issued.

(Version 4.5.1)

Resolved a limitation of not being able to exceed a total of 12 IRIG outputs from SecureSync (via installed Option Cards).
  o Increased the total number of available IRIG outputs that can be supplied via multiple installed Option Cards to 24 (this value is based on all six available slots having 4-IRIG Output Cards installed).

(Version 4.5.0)

Cleaned up both the list of available CLI commands (deleted a couple of commands that were no longer going to be implemented) and the “CLI help”.
GPS receiver now supports negative altitude (Below Sea Level).
GPS alarm thresholds can now be disabled (Minimum satellite alarms).
Fixed an issue with a Rubidium 1PPS output offset occurring at start-up (Applicable only to SecureSyncs with a Rubidium (Rb) oscillator installed).
  o Eliminated a 150ns-180ns variable offset to the 1PPS after each start-up (After each start-up, this 1PPS offset value wasn’t consistently the same value).
“GPS Qualification” log now shows all 3600 seconds of each hour (was intermittently displaying less than 3600 seconds for the hour, such as 3599 seconds instead of 3600).
Added a sub-second placeholder of “x.00” (tenths and hundredths of a second) to the NMEA ASCII Data streams.
  o The NMEA 0183 specifications require the hour, minute and second time data be provided in the ASCII data streams. Sub-second time information is optional, per this specification. However, if a manufacturer of a device does not closely follow the NMEA 0183 data stream specifications, they may expect to see sub-second data values included in the input data streams. Version 4.4.S adds a sub-second tenths and hundredths place-holder value to the ASCII data streams for those systems that may be expecting to see sub-second values provided in the input data stream.
Resolved a web browser display issue when no GPS receiver is installed in the appliance.
  o Error messages were being asserted in the System log if displaying certain web pages when the 30 second screen refresh occurs.
Updated the ICD153 ASCII output from the ASCII time code Option Cards (Models 1204-02 and 1204-04) to provide better interoperability with a SINCGARS radio system.
Daylight Saving Time (DST) in user-configurable Local System Clocks can now be configured to occur in the last week of the month, if necessary.
Added rotation of NTP statistics logs (NTP peerstats, clockstats and loopstats).

(Version 4.4.0)

Improved NTP performance by making NTP a higher priority.
  o Due to the priority settings of NTP, the NTP output was exhibiting higher jitter measurements, as compared with other NTP servers on the same network (as viewed with an NTPQ peers command). Increased the priority of NTP for improved performance of NTP.
If an ASCII RS-485 or RS-232 option card is installed in SecureSync, this update fixes an issue that was causing SecureSync to lock-up if an ASCII reference was applied to the input of this option card (the ASCII option cards’ outputs operated normally).
Changed the “Reference Status” table indications (“Status”/”Time and Frequency” page of the web browser).
  o This status table lists all available input references that can be provided to SecureSync (such as GPS, IRIG, Stanag, ASCII data, etc). If each listed input either has no external reference signal connected to it or the external reference is considered invalid, the fields in the table will no longer indicate “ALARM” (with a red fill). The fields will now display “Not Valid” (with orange fill) instead.

(Version 4.3.2)

Prevents intermittent/erroneous “Frequency Error” alarms from occurring when a Rubidium oscillator is installed (On rare occasions, these alarms were still occurring in version 4.3.1 software).
  o Resolved an intermittent issue with the 1PPS input reference provided to the Rubidium oscillator for the internal disciplining of its 10 MHz output.

(Version 4.3.1)

Prevents intermittent/erroneous “Frequency Error” and “Oscillator Maintenance” alarms from occurring when a Rubidium oscillator is installed. Also prevents large phase noise measurements from intermittently occurring.
  o Measurements of the Rubidium oscillator’s output frequency were being affected by the oscillator internally changing its time constants while in the middle of performing frequency measurements. This was affecting the formula that is used to calculate the frequency error, which was resulting in the calculated frequency errors intermittently and erroneously being larger than they actually were. These large frequency error calculations were intermittently asserting the “Frequency Error” alarm.
  o An intermittent 1PPS reference input to the Rubidium oscillator was causing large phase error measurements.
The ASCII timecode Data Format 09 output (Available with an RS-232 or RS-485 ASCII time code Option Module installed) was not using the correct Quality indicators when SecureSync was not synchronized to any input references.
  o Data Format 09 was selecting the Format 02 Quality indicators instead of the Format 09 Quality indicators (a space when in sync or the letters A, B, C or D were being inserted for loss of sync instead of the correct indication of a space when in sync or the characters of an “*”, “ #”, “.” or “?” being inserted for loss of sync).

(Version 4.2.1)

Static network settings are not able to be saved after a “Clean” of the configuration files has occurred.
  o After the configurations are cleaned (reset back to the factory default values) either at the factory prior to initial shipment or in the field using the web browser, static network settings are not able to be configured and retained.

(Version 4.1.0)

Added the ability to select a “Local Clock” (via the web browser) in order to offset the LED time display for local time.
  o “Local Clock” allows the output time to be offset for local Time Zone and DST Rules. Version 4.0.0 allowed a Local Clock for the front panel LED time display to be selected via the front panel LCD and keypad, but not via the web browser. Version 4.1.0 adds a “Local Clock” dropdown selection to the “Setup”/ “Front Panel” page of the web browser in order to configure the front panel LED time display.
Added ability to send each individual log file to a Syslog server.
  o Version 4.1.0 adds fields to define up to five separate Syslog servers to be able to send each log file to a Syslog server for remote log storage.
GPS altitude field now allows a negative value (Below Sea Level) to be entered.
  o Version 4.1.0 now allows a negative value to be entered in the GPS altitude field. Previously, only positive values would be accepted.
Added support for the RS-485 and RS-232 ASCII time-code (RS-485 and RS-232) Input/Output Option Modules
  o Version 4.1.0 allows ASCII time-code Input/Output Option Modules to be installed.

Determining the version of software currently installed

To determine the current software version of your SecureSync:

A) Using the newer web browser interface (Software versions 5.1.0 and above)
Log in to the unit’s web browser user interface.
At the top of the page, click on “Tools”.
In this dropdown, click on “Upgrade/Backup”.
The “System Configuration” table on this page will contain a field stating “System”. The number next to this is the current Archive software version. Refer to Figure 1.

Figure 1: Software revision reported in the “Tools” -> “Upgrade/Backup” Page

B) Using the “Classic Interface” (Software versions 5.0.2 and below)
Log in to the unit’s web browser user interface.
At the top of the page, click on “Tools”.
In this dropdown, click on “Versions”.
The “System Version” table on this page will contain a field stating “Archive version”. The number next to this is the current Archive software version. Refer to Figure 2.

Indication of the current Archive software version installed.
Figure 2: Archive software revision reported in the “Tools” -> “Versions” Page

Links to download SecureSync software and user manual updates

Download SecureSync software updates:
The SecureSync software update can be downloaded from the Spectracom website. To obtain the SecureSync software update file, please visit:
http://www.spectracomcorp.com/Support/HowCanWeHelpYou/Software/tabid/61/Default.aspx#SecureSync

SecureSync user manual updates:
Manual updates reflecting the software changes have been uploaded to the Support page of Spectracom’s website. Please refer to:
http://www.spectracomcorp.com/Support/HowCanWeHelpYou/Library/tabid/59/Default.aspx?EntryId=218
to download the latest version of the SecureSync manual.
Hard copies of the new SecureSync manual may also be purchased from the Spectracom Sales department at US +1.585.321.5800.

Spectracom Tech Support

Please contact one of the global Spectracom Technical Support centers for more information regarding any of these features or fixes:

USA: www.spectracomcorp.com | [email protected] | 1565 Jefferson Road, Suite 460 | Rochester, NY 14623 USA | +1.585.321.5800
FRANCE: www.spectracom.fr | [email protected] | 3 Avenue du Canada | 91974 Les Ulis, Cedex | +33 (0)1 64 53 39 80
UK: www.spectracom.co.uk | [email protected] | 6A Beechwood | Chineham Park | Basingstoke, Hampshire, RG24 8WA | 44 (0)1256 303630